Huge hole in MS Passport

We haven't really been covering the never-ending parade of MS security holes, but this one is too big to pass up. From the BBC's coverage:

Microsoft has admitted that for the last seven months up to 200 million Passport accounts have been vulnerable to plundering by thieves and malicious hackers. The loophole in the online identity service only seems to have been exploited in the last month and Microsoft said it had locked all compromised accounts and fixed the bug...

The Passport bug was found by Muhammad Faisal Rauf Danka, a freelance computer security consultant. Some of the Passport accounts owned by Mr Danka and his friends had been hijacked. In discovering how this was done, he found the website that gives privileged access to personal accounts and lets passwords be reset.

"It was so simple to do it. It shouldn't have been so simple," said Mr Danka. "Anyone could have done this." Reportedly Mr Danka sent 10 messages to Microsoft detailing the vulnerability but got no response.

Microsoft only reacted when information about the flaw was posted online.